In Microsoft Exchange Server 2007, the Content
Filter agent is the next generation of Exchange Intelligent Message
Filter, which is included with Exchange Server 2003.

Intelligent Message Filter is based on patented machine-learning
technology from Microsoft Research. During its development,
Intelligent Message Filter learned the distinguishing
characteristics of legitimate messages and unsolicited commercial
e-mail messages (spam), which were submitted by Microsoft partners
and classified as either legitimate messages or spam.

Intelligent Message Filter evaluates inbound e-mail messages and
assesses the probability that an inbound message is legitimate or
spam. Unlike many other filtering technologies, Intelligent Message
Filter uses characteristics from a statistically significant sample
of e-mail messages. The inclusion of legitimate messages in this
sample reduces the chance of mistakes. Because Intelligent Message
Filter recognizes characteristics of legitimate messages and spam,
the accuracy of Intelligent Message Filter is increased.

Intelligent Message Filter machine-learning is an ongoing,
cumulative process. Updates to Intelligent Message Filter are
available periodically through Microsoft Update.

Using the Content Filter
Agent

The Content Filter agent is one of several anti-spam
agents. When you configure anti-spam agents on a computer that has
the Edge Transport server role installed, the agents act on
messages cumulatively to reduce the amount of spam that enters the
organization. For more information about how to plan and deploy
anti-spam agents, see Anti-Spam and Antivirus
Functionality.

The Content Filter agent assigns a spam confidence
level (SCL) rating to each message. The SCL rating is a number
between 0 and 9. A higher SCL rating indicates that a message is
more likely to be spam.

You can configure the Content Filter agent to take the
following actions on messages according to their SCL rating:

Delete message

Reject message

Quarantine message

For example, you may determine that messages that have
an SCL rating of 7 or higher must be deleted, messages that have an
SCL rating of 6 must be rejected, and messages that have an SCL
rating of 5 must be quarantined.

You can adjust the SCL threshold behavior by assigning
different SCL ratings to each of these actions. For more
information about how to adjust the SCL threshold to suit your
organization's requirements and about per-recipient SCL thresholds,
see Adjusting
the Spam Confidence Level Threshold.

Note:

Messages that are over 11 MB are not scanned by the
Intelligent Message Filter. Instead, they pass through the Content
Filter without being scanned. However, the default maximum message
size limit configured on Exchange 2007 Receive connectors
is 10 MB. Therefore, the 11 MB threshold for the
Intelligent Message Filter is not a practical concern in the
default Exchange configuration.

Allow
Phrases and Block Phrases

You can customize how the Content Filter agent assigns
SCL values by configuring custom words. Custom words are individual
words or phrases that the Content Filter agent uses to apply
appropriate filter processing. You configure approved words or
phrases with Allow phrases and unapproved words or phrases with
Block phrases. When the Content Filter agent detects a
preconfigured Allow phrase in an inbound message, the Content
Filter agent automatically assigns an SCL value of 0 to the
message. Alternatively, when the Content Filter agent detects a
configured Block phrase in an inbound message, the Content Filter
agent assigns an SCL rating of 9.

Outlook
E-mail Postmark Validation

The Content Filter agent also includes
Microsoft Office Outlook E-mail Postmark validation, a
computational proof that Outlook applies to outgoing messages to
help recipient messaging systems distinguish legitimate e-mail from
junk e-mail. This feature helps reduce the chance of false
positives. In the context of spam filtering, a false
positive exists when a spam filter incorrectly identifies a
message from a legitimate sender as spam. When Outlook E-mail
Postmark validation is enabled, the Content Filter agent parses the
inbound message for a computational postmark header. The presence
of a valid, solved computational postmark header in the message
indicates that the client computer that generated the message
solved the computational postmark.

Computers do not require significant processing time to
solve individual computational postmarks. However, processing
postmarks for many messages may be prohibitive to a malicious
sender. Anyone who sends millions of spam messages is unlikely to
invest the processing power that is required to solve computational
postmarks for all outbound spam. If a sender's e-mail contains a
valid, solved computational postmark, it is unlikely that the
sender is a malicious sender. In this case, the Content Filter
agent would lower the SCL rating. If the postmark validation
feature is enabled and an inbound message either does not contain a
computational postmark header or the computational postmark header
is not valid, the Content Filter agent would not change the SCL
rating.

Bypassing
the Recipient, Sender, and Sender Domain

In some organizations, all e-mail to certain aliases
must be accepted. This scenario can introduce problems if your
organization is in an industry that manages significant volumes of
spam.

For example, a company named Woodgrove Bank has an
alias named customerloans@woodgrovebank.com that provides
e-mail-based support to external loan customers. The Exchange
administrators configure the Content Filter agent to set Block
phrases that filter out words or phrases that are typically used in
spam that is sent by unscrupulous loan agencies. To prevent
potentially legitimate messages from being rejected, the
administrators set exceptions to content filtering by entering a
list of SMTP e-mail recipient addresses in the Content Filter agent
configuration.

You can also specify senders and sender domains that
you do not want the Content Filter agent to block.

Safelist
Aggregation

In Exchange Server 2007, the Content Filter
agent on the Edge Transport server uses the
Microsoft Office Outlook 2003 Safe Senders Lists,
Safe Recipients Lists, and trusted contacts from Outlook to
optimize spam filtering. Safelist aggregation is a set of
anti-spam functionality that is shared across Outlook and
Exchange Server 2007. As its name suggests, this
functionality collects data from the anti-spam safe lists that
Outlook users configure and makes this data available to the
anti-spam agents on the Edge Transport server. When an Exchange
administrator enables and correctly configures safelist
aggregation, the Content Filter agent passes safe e-mail messages
to the enterprise mailbox without additional processing. E-mail
messages that Outlook users receive from contacts that those users
have added to their Outlook Safe Recipients List, Safe Senders
List, or trusted contacts list are identified by the Content Filter
agent as safe. For more information, see Safelist
Aggregation.

Configuring
the Content Filter Agent

You configure the Content Filter agent by using the
Exchange Management Console or the Exchange Management Shell.

Important:

Configuration changes that you make to the Content Filter agent
by using the Exchange Management Console or the Exchange Management
Shell are only made to the local computer that has the Edge
Transport server role installed. If you have multiple instances of
the Edge Transport server role running in your organization, you
must make Content Filter configuration changes to each
computer.